Fix rfc2047 decoding buffer overflow

[checkmail.git] / charset.c

diff --git a/charset.c b/charset.c
index 0f766706fcf79ebe4bdd4735e51336acf6b71376..d32a414eead4eacb54fafccc4822931d1b46f640 100644 (file)
--- a/charset.c
+++ b/charset.c
@@ -232,7 +232,8 @@ static const char *find_encoded_word (const char *s, const char **x)
       ;
     if (q[0] != '?' || !strchr ("BbQq", q[1]) || q[2] != '?')
       continue;
-    for (q = q + 3; 0x20 < *q && *q < 0x7f && *q != '?'; q++)
+    /* non-strict check since many MUAs will not encode spaces and question marks */
+    for (q = q + 3; 0x20 <= *q && *q < 0x7f && (*q != '?' || q[1] != '='); q++)
       ;
     if (q[0] != '?' || q[1] != '=')
     {
@@ -362,7 +363,12 @@ static void rfc2047_decode (char **pd)
     }
 
     if (rfc2047_decode_word (d, p, dlen) < 0)
-      strcpy(d, p);
+    {
+      n = q - p;
+      if (n > dlen)
+       n = dlen;
+      memcpy (d, p, n);
+    }
     found_encoded = 1;
     s = q;
     n = strlen (d);